cosign wiki:CosignCookies
From cosign wiki
Cosign Cookies
There are two different classes of cookie used by Cosign: a login cookie and a service cookie. Both cookies are host cookies, meaning that only the host that sets them has access to retrieve them. New cookie values consist of 128 random characters. The backslash character / is reserved by Cosign as a separator and is not permitted as a random character. These strings are generated using OpenSSL.
Login Cookies
Login cookies are the keys by which a given browser identifies itself to the cosign server, and are generated by the CGI. They are of the format:
cosign=[128 character string of random bytes]/time_the_cookie_was_generated/registration_count
An example is:
cosign=4qkW7lHyvaVThEzuOxss28cQwURP846TFSs+TnanvI2P/1132593978/1
A time stamp is used to ensure that old login cookies retained by certain browsers can still be refreshed. If a login cookie is older than the default of 24 hours, a new cookie is issued. The registration count is used in the detection of register loops. If a user visits the login pages more than MAXLOOPCOUNT (10) times in LOOPWINDOW (30) seconds, their browser is redirected to a loop-breaking page to advise them of the registration problem.
Service Cookies
Service cookies are the keys by which a given browser identifies itself to the application server, and are generated by the filter. They are of the format:
cosign-service_name=[128 character string of random bytes]/time_the_cookie_was_generated
Upon creating a new cookie, the filter prepends cosign- to the service name, as defined by the filter's cosign service configuration. An example service cookie, in which the cosign service has been set to "example", looks like this:
cosign-example=oFxNMqPjNuSraSY+lIqDAzU1UDfsbp2JaHvm6mRP5jhRoIR...
A time stamp is used to ensure that old service cookies retained by certain browsers can still be refreshed. If a service cookie is older than the cookie expire time, which is set by the filter's configuration, a new cookie is issued.